CVE-2026-53174
Analyzed Analyzed - Analysis Complete

Linux Kernel OverlayFS Directory Traversal Flaw

Vulnerability report for CVE-2026-53174, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-06
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's overlay filesystem code. Specifically, the function ovl_iterate_merged() incorrectly stores an error code pointer (PTR_ERR(cache)) in a variable named err before checking if the cache pointer is actually an error (IS_ERR(cache)). If the cache pointer is valid (not an error), err still holds a non-zero value that looks like an error, which can cause the function to return a bogus error instead of success.

The issue occurs during overlay-on-overlay directory reading operations, where nested overlay filesystems are involved. The fix ensures that PTR_ERR(cache) is only computed on the error path, preventing err from holding a misleading non-zero value after a successful cache retrieval.

Impact Analysis

This vulnerability can cause functions that read directories in overlay filesystems to incorrectly report errors even when operations succeed. This may lead to unexpected failures or incorrect behavior in applications or systems relying on overlay filesystems, especially when overlay filesystems are nested.

Such incorrect error reporting could disrupt file system operations, potentially causing application errors, system instability, or data access issues in environments using overlay filesystems.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53174. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart